The Freedom of Information and Protection
of Privacy (FOIP) Act and the Hiring Process

Unsolicited Résumés

If there is no job open, then you are not making a decision using the personal
information in unsolicited résumés and the one-year retention
requirement described below does not apply. Even if you do not keep unsolicited
résumés when you receive them, you should take reasonable care
when disposing of them so that no one can misuse the personal information they
contain. You should shred paper copies and delete electronic copies.

Keep a résumé for a year if you use it to make a decision. If
you use it to make a decision to hire or not hire the individual, you have to
keep the résumé for at least a year so the individual can obtain
access to it.

If you use information in a résumé (or simply hold on to it
for possible future use), you are responsible for protecting the personal information
in it and for responding to the individual's enquiries about how her or his
personal information has been used or disclosed.

Types of Personal Information that can be Collected in the Hiring Process

The FOIP Act allows an employer to request any personal information that
is necessary to the hiring decision. Typically, that might include relevant
qualifications, experience, knowledge, skills and abilities as well as answers
to interview questions and skill tests. It would not be necessary for an employer
to require personal information for any purpose other than assessing suitability
for the job and establishing an employment relationship.

You have to be able to show your collection and use of the personal information
is reasonably required to determine the job applicant's suitability for the
position. For example, credit checks on a job applicant should only be conducted
if you can establish that the information is both relevant and necessary to
verify the applicant's ability to perform the job functions and that the verification
cannot be done through less intrusive means.

Once you have made a hiring decision, you can use and disclose employee personal
information without consent if doing so is reasonable for the purpose of establishing
or managing an employment relationship. Canada Revenue Agency registrations
for income tax purposes or enrollment in employee benefit plans are two examples
of post-hiring use of employee personal information.

Reference Checks

Assume the job applicant's consent for contact with listed references. An
applicant who has listed references in a job application or résumé
implicitly consents to your contacting listed references, but only so you can
collect reference information that is reasonably related to the job requirements.
Although not strictly required when you conduct a reference check on a job applicant,
it is a good practice to first confirm that the applicant has authorized the
referee to talk to you.

Although you do not need the job applicant's consent, notify applicants about
reference inquiries from persons other than those the job applicant lists as
references. If the applicant objects, the FOIP Act would not stop you from inviting
him or her to withdraw from the hiring process or from weighing the refusal
to consent in determining the applicant's suitability for the position.

Confidentiality of Information Received from a Referee

Confirm confidentiality with referees. If you prefer not to reveal a referee's
comments to the job applicant, it is best to make it clear to the referee in
advance that his or her opinions will be received in confidence, document this
agreement, and tell the applicant that all references will be received in confidence.
However, there is no guarantee that job applicants will not be able to access
comments by referees to prospective employers, as the FOIP Act gives individuals
a right of access to their own personal information. Any factual information
obtained about a job applicant and referees' opinions about an applicant are
the applicant's personal information.

Referees' opinions about a job applicant are the applicant's personal information
and, therefore, you cannot guarantee that referees' comments will remain confidential.
As for a referee's identity, the referee's name is the personal information
of the referee and may be withheld.

Use of Personal Information Collected During the Hiring Process for Other
Purposes

You can use personal information you collect during the hiring process for
another purpose only if that other purpose has a reasonable and direct connection
to the original purpose. Orientation and training can be considered part of
the hiring process, so it is reasonable to assume that personal information
collected from job applicants might be used for that purpose.

If the other purpose is not reasonably and directly connected to the original
purpose, then you have to tell the job applicant what the other purpose is and
get the applicant's consent. For example, it would not seem obvious that you
would send someone's résumé to another employer who might be hiring,
even though that might appear to benefit the applicant. When in doubt, give
notice and get consent.

Protect and Retain Personal Information Collected During the Hiring Process

Section 38 of FOIP requires an organization to make "reasonable security
arrangements" to protect personal information from "unauthorized access,
collection, use, disclosure or destruction". In other words, you should
at the very least take the same precautions you might use for any document you
want to protect from improper use by staff or anyone else. The greater the sensitivity
of the employee personal information, the greater the need for protection. For
example, it is reasonable to expect a higher level of security for an employee's
medical information than for a résumé.

If you use an individual's personal information to make a decision that directly
affects him or her (like hiring or not hiring), you have to keep it for at least
a year after you make the decision, so that the individual has a reasonable
opportunity to obtain access to it. This would include interview notes and other
information about or related to the assessment of candidates. If an individual
requests her or his own information of this kind, personal information of other
candidates found in records containing the applicant's information would have
to be withheld from the applicant.

If you do not use personal information for a decision, you either have to destroy
it or else make it anonymous by removing any information that would identify
a particular individual. You need to do this as soon as the purpose for which
it was collected is no longer being served and you no longer need it for legal
or business purposes.

Other FOIP Obligations that Apply to Personal Information Collected During
the Hiring Process

Know when information cannot be given out. The bottom line is that anyone
- including an employee and an unsuccessful job applicant - has a right to be
given access to his or her own personal information, to know how it is being
used or has been used, and to know to whom and in what situations it has been
disclosed. However, the FOIP Act permits or requires you in certain circumstances
to deny someone access to their own personal information - for example, where
disclosure would harm someone else, harm an investigation or legal proceeding,
result in the disclosure of someone else's personal information, or disclose
confidential business information. If such information can be removed from a
document, you have to give access to the rest of the document after the information
is removed.

Make sure information is accurate and complete. Respond to requests for correction.
Anyone who believes there is an error or omission in his or her personal information
can ask the organization to correct it. If the information needs correction,
you must make the correction as soon as possible. If, on the other hand, you
decide the information needs no correction, you must annotate the personal information
to record the correction that was requested but not made. Like all of the FOIP
Act requirements, this applies to paper and electronic records.

If you do make a requested correction, you must send the corrected information
to every organization to which you have disclosed the information during the
year before the correction date. And if you are notified by another organization
that it has corrected an individual's personal information that was disclosed
to it, you must also correct that personal information if it is under your organization's
control.

If you need more information or have questions about situations not covered
by this document, you can call the Privacy and Policy Coordinator.

Acknowledgment

AU wishes to acknowledge its reliance on information published by the Office
of the Information and Privacy Commissioner for British Columbia, which was
used in the preparation of this guideline.